Microsoft online store hack reveals passwords stored as plain text

There’s nothing like waking up in the morning and finding out that one of your online accounts has been compromised by a hacker group. This is exactly what happened to customers of Microsoft’s online store in India over the weekend. A hacker group called the “Evil Shadow Team” was able to take control of the site, and in so doing exposed the fact that Microsoft stores user passwords in plain text.

It’s unclear at this point what the group was trying to accomplish with its attack on the online store, but exposing the lack of security might have been excuse enough. Affiliation with the hacktivist group Anonymous is suspected due to the use of the now infamous Guy Fawkes mask. However, according to Chinese site HackTeach, the Evil Shadow Team is a newly formed group, with this action being its opening salvo.

Microsoft has now regained control of the online store, taken the site offline, and posted a message saying that maintenance is being carried out. If you live in India and have an account with Microsoft’s online store, I suspect you’ll be getting an email from Microsoft in the near future with a password reset link. If you use the same password and email address across different sites, now is the time to go and change them. Hackers are in possession of your Microsoft password, and chances are they will attempt to use it on other popular services.

Microsoft is now in a position where it needs to explain not only how this happened, but also why passwords are being stored unencrypted. With so many sites being compromised, it’s just totally unacceptable not to take more precautions with user data online.